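# Bring up the throw-away Leap debug pod and open an interactive shell in it.
kubectl apply -f test-leap.yaml
kubectl exec -it test-leap-pod -- /bin/bash

# The runtime's registry settings (search list, insecure/no-TLS registries)
# live in /etc/containers/registries.conf. CRI-O reads the file at start-up,
# so it must be restarted after editing (rccrio is the SUSE rc alias for
# restarting the crio service).
rccrio restart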
# Image registry configuration shared by the container tooling on this host.
# Format reference: containers-registries.conf(5).

# Unqualified image names ("my_image:latest" rather than
# "foobar.com/my_image:latest") are resolved against these registries, in order.
[registries.search]
registries = ["docker.io"]

# Registries contacted WITHOUT TLS verification: plain HTTP is accepted and so
# are self-signed certificates. Pulls from these hosts cannot be authenticated
# by the runtime, so anyone on the network path can substitute image content.
# The in-cluster kube-registry is plain HTTP as deployed (its pod sets only
# REGISTRY_HTTP_ADDR, no TLS options), so it has to be listed here until TLS is
# enabled on it. registry.suse.de is listed as well -- confirm it really lacks a
# trusted certificate before keeping it in this list, and keep the list minimal.
[registries.insecure]
registries = ["kube-registry.kube-system.svc.cluster.local:5000", "registry.suse.de"]

# Registries the docker daemon must never pull from. "*" limits the daemon to
# the search registries above. This section is deprecated because other
# runtimes ignore it; the signature/trust policy in /etc/containers/policy.json
# is the portable way to decide which registries may be pulled from and pushed
# to, and it is honoured by docker, cri-o, buildah and friends alike.
[registries.block]
registries = []
{ | |
"log-level": "warn", | |
"log-driver": "json-file", | |
"log-opts": { | |
"max-size": "10m", | |
"max-file": "5" | |
}, | |
"insecure-registries":["kube-registry.kube-system.svc.cluster.local:5000", "registry.suse.de"] | |
} |
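---
# MariaDB for the CaaSP/OBS test setup. The image comes from registry.suse.de,
# which registries.conf lists as an insecure registry, so the pull is not
# TLS-verified. No volume is declared: the database contents live in the
# container filesystem and are lost whenever the pod is replaced.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: caasp-mariadb
  labels:
    app: caasp-mariadb
spec:
  # Recreate: the old pod is stopped before the new one starts, so two
  # MariaDB instances never run at the same time.
  strategy:
    type: Recreate
  # apps/v1 (apps/v1beta1 has been removed) requires an explicit selector;
  # it must match the pod template labels below.
  selector:
    matchLabels:
      app: caasp-mariadb
      tier: mysql
  template:
    metadata:
      labels:
        app: caasp-mariadb
        tier: mysql
    spec:
      containers:
      - image: registry.suse.de/devel/casp/head/controllernode/sle_15/caasp/v4/mariadb:10.0.35
        name: obs-mariadb
        env:
        # The root password is read from a Secret rather than committed in
        # clear text in this manifest. Create it before applying, e.g.:
        #   kubectl create secret generic caasp-mariadb --from-literal=root-password=<value>
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: caasp-mariadb
              key: root-password
        ports:
        - containerPort: 3306
          name: mysql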
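apiVersion: v1
kind: Service
metadata:
  name: kube-registry
  namespace: kube-system
spec:
  # Consumers address the registry by its DNS name
  # (kube-registry.kube-system.svc.cluster.local:5000), so no fixed ClusterIP
  # is needed.
  # clusterIP: 10.96.0.99
  ports:
  # This port was previously named "https", but nothing terminates TLS: the
  # kube-registry-v0 pods set only REGISTRY_HTTP_ADDR (no REGISTRY_HTTP_TLS_*)
  # and the runtimes list this host as an insecure registry. The name now says
  # what the traffic is, so nobody assumes image pulls/pushes are encrypted.
  # Update any Ingress or client that referred to the port by its old name.
  - name: http
    port: 5000
    protocol: TCP
    targetPort: 5000
  sessionAffinity: None
  type: ClusterIP
  selector:
    k8s-app: kube-registry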
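apiVersion: v1
kind: ReplicationController
metadata:
  name: kube-registry-v0
  namespace: kube-system
  labels:
    k8s-app: kube-registry
    version: v0
    kubernetes.io/cluster-service: "true"
spec:
  # Three identical registry pods share a single CephFS volume (see volumes),
  # so an image pushed through any replica is served by all of them.
  replicas: 3
  selector:
    k8s-app: kube-registry
    version: v0
  template:
    metadata:
      labels:
        k8s-app: kube-registry
        version: v0
        kubernetes.io/cluster-service: "true"
    spec:
      containers:
      - name: registry
        image: registry:2
        imagePullPolicy: Always
        # Left unset as before. Without limits a busy registry can starve the
        # other kube-system pods; uncomment and size these once usage is known.
        #resources:
        #  limits:
        #    cpu: 100m
        #    memory: 100Mi
        env:
        # Configuration reference: https://docs.docker.com/registry/configuration/
        #
        # NOTE(security): only the HTTP listen address is configured -- there is
        # no REGISTRY_HTTP_TLS_* and no REGISTRY_AUTH_* setting. The registry
        # therefore speaks plain HTTP and accepts pushes from anything that can
        # reach the Service, while the OBS deployments pull ":latest" from it.
        # Whoever can push can replace the images those deployments run.
        # Restrict reachability (NetworkPolicy) and/or enable auth and TLS
        # before relying on this beyond a test cluster.
        - name: REGISTRY_HTTP_ADDR
          value: :5000
        # Random value the registry uses to sign state handed to clients (see
        # the configuration reference above). Read from a Secret instead of a
        # hard-coded placeholder shared by every copy of this manifest; create
        # it first, e.g.:
        #   kubectl -n kube-system create secret generic kube-registry \
        #     --from-literal=http-secret="$(openssl rand -hex 32)"
        - name: REGISTRY_HTTP_SECRET
          valueFrom:
            secretKeyRef:
              name: kube-registry
              key: http-secret
        - name: REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY
          value: /var/lib/registry
        volumeMounts:
        - name: image-store
          mountPath: /var/lib/registry
        ports:
        - containerPort: 5000
          name: registry
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /
            port: registry
        readinessProbe:
          httpGet:
            path: /
            port: registry
      volumes:
      - name: image-store
        flexVolume:
          driver: ceph.rook.io/rook
          fsType: ceph
          options:
            fsName: myfs                 # filesystem name from the CephFilesystem CRD
            clusterNamespace: rook-ceph  # namespace the Rook cluster is deployed in
            # The filesystem root is mounted by default; set path to mount a
            # sub-directory instead. It must already exist or the mount fails.
            # path: /some/path/inside/cephfs
            # (Optional) Existing Ceph user to mount as, and the Kubernetes
            # Secret (exactly one key holding the Ceph user secret) with its
            # credentials. The Secret must exist in every namespace that
            # consumes the storage. Neither is set here -- confirm which Ceph
            # credentials the driver falls back to in that case.
            #mountUser: user1
            #mountSecret: ceph-user1-secret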
apiVersion: v1
kind: Service
metadata:
  name: obs-mariadb
  labels:
    app: obs-mariadb
spec:
  # Headless service (clusterIP: None): the DNS name obs-mariadb resolves
  # straight to the selected pod's IP, with no virtual IP in between.
  clusterIP: None
  selector:
    app: obs-mariadb
    tier: mysql
  ports:
  - port: 3306
--- | |
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-mariadb-pv-claim
  labels:
    app: obs-mariadb
spec:
  # 20Gi block volume from the rook-ceph-block StorageClass. ReadWriteOnce:
  # only one pod can have it mounted at a time, which is why the consuming
  # Deployment uses the Recreate strategy.
  storageClassName: rook-ceph-block
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 20Gi
--- | |
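apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-mariadb
  labels:
    app: obs-mariadb
spec:
  # Recreate rather than RollingUpdate: the ReadWriteOnce block volume can be
  # attached to one pod only, so the old pod must be gone before the new one
  # starts.
  strategy:
    type: Recreate
  # apps/v1 (apps/v1beta1 has been removed) requires an explicit selector. It
  # must match the template labels, which are also what the obs-mariadb
  # Service selects on.
  selector:
    matchLabels:
      app: obs-mariadb
      tier: mysql
  template:
    metadata:
      labels:
        app: obs-mariadb
        tier: mysql
    spec:
      containers:
      - image: kube-registry.kube-system.svc.cluster.local:5000/obs-mariadb:latest
        name: obs-mariadb
        env:
        # Root password from a Secret instead of clear text in the manifest.
        # Create it before applying, e.g.:
        #   kubectl create secret generic obs-mariadb --from-literal=root-password=<value>
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: obs-mariadb
              key: root-password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: obs-mariadb-persistent-storage
          mountPath: /var/lib/mysql
        # NOTE(security): this container used to run with privileged: true.
        # A database has no use for it, and a privileged container is
        # effectively root on the node (all capabilities, host devices). It is
        # dropped here; the PVC is mounted by the kubelet, not by the container,
        # so no privilege is needed for the volume. If the image genuinely fails
        # to start without it, re-add only the specific capability it needs and
        # document why.
      volumes:
      - name: obs-mariadb-persistent-storage
        persistentVolumeClaim:
          claimName: obs-mariadb-pv-claim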
--- | |
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-repserver-pv-claim
  labels:
    app: obs-repserver
spec:
  # 20Gi block volume for /srv/obs of the repository server. ReadWriteOnce:
  # a single pod at a time, matching the Deployment's Recreate strategy.
  storageClassName: rook-ceph-block
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 20Gi
--- | |
apiVersion: v1
kind: Service
metadata:
  name: obs-repserver
spec:
  # Headless: DNS for obs-repserver resolves directly to the pod.
  clusterIP: None
  selector:
    app: obs-repserver
  ports:
  - name: obs-repserver
    port: 5252
    targetPort: 5252
--- | |
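apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-repserver
  labels:
    app: obs-repserver
spec:
  # Recreate: the backing PVC is ReadWriteOnce, so the old pod must release
  # it before the replacement can mount it.
  strategy:
    type: Recreate
  replicas: 1
  selector:
    matchLabels:
      app: obs-repserver
  template:
    metadata:
      labels:
        app: obs-repserver
    spec:
      containers:
      - name: obs-repserver
        # ":latest" from the in-cluster registry (which, as deployed in
        # kube-registry-v0, configures no authentication): whatever was pushed
        # last is what runs. Pin a tag or digest once the images are stable.
        image: kube-registry.kube-system.svc.cluster.local:5000/obs-repserver:latest
        ports:
        # Was 5352, which is the srcserver's port; the obs-repserver Service
        # forwards to targetPort 5252, so the declared container port now
        # agrees with it.
        - containerPort: 5252
        volumeMounts:
        - name: obs-repserver-persistent-storage
          mountPath: /srv/obs
      volumes:
      - name: obs-repserver-persistent-storage
        persistentVolumeClaim:
          claimName: obs-repserver-pv-claim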
--- | |
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: obs-srcserver-pv-claim
  labels:
    app: obs-srcserver
spec:
  # 20Gi block volume for /srv/obs of the source server. ReadWriteOnce:
  # a single pod at a time, matching the Deployment's Recreate strategy.
  storageClassName: rook-ceph-block
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: 20Gi
--- | |
apiVersion: v1
kind: Service
metadata:
  name: obs-srcserver
spec:
  # Headless: DNS for obs-srcserver resolves directly to the pod.
  clusterIP: None
  selector:
    app: obs-srcserver
  ports:
  - name: obs-srcserver
    port: 5352
    targetPort: 5352
--- | |
apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-srcserver
  labels:
    app: obs-srcserver
spec:
  replicas: 1
  # Recreate: the PVC is ReadWriteOnce, so the old pod must release it first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: obs-srcserver
  template:
    metadata:
      labels:
        app: obs-srcserver
    spec:
      containers:
      - name: obs-srcserver
        # ":latest" from the in-cluster registry: whatever was pushed last is
        # what runs. Pin a tag or digest once the images are stable.
        image: kube-registry.kube-system.svc.cluster.local:5000/obs-srcserver:latest
        ports:
        - containerPort: 5352  # matches the obs-srcserver Service targetPort
        volumeMounts:
        - name: obs-srcserver-persistent-storage
          mountPath: /srv/obs
      volumes:
      - name: obs-srcserver-persistent-storage
        persistentVolumeClaim:
          claimName: obs-srcserver-pv-claim
apiVersion: apps/v1
kind: Deployment
metadata:
  name: obs-worker-deployment
  labels:
    app: obs-worker
spec:
  # Stateless (no volumes), so several replicas can run side by side.
  replicas: 3
  selector:
    matchLabels:
      app: obs-worker
  template:
    metadata:
      labels:
        app: obs-worker
    spec:
      containers:
      - name: obs-worker
        image: kube-registry.kube-system.svc.cluster.local:5000/obs-worker:latest
        # Replaces the image entrypoint with the container-flavoured OBS worker.
        command:
        - /usr/lib/obs/server/containerworker
        ports:
        - containerPort: 8888
        # No resources or securityContext are set. If these workers execute
        # package builds they process content fetched from the source server;
        # consider resource limits and a restrictive securityContext
        # (non-root, no privilege escalation) -- not shown here, verify what
        # the worker actually requires.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-privileged
spec:
  # NOTE(security): this policy allows everything -- privileged containers,
  # every capability, every volume type, any UID and SELinux context, and the
  # host PID/IPC/network namespaces. A pod admitted under it can take over the
  # node it lands on. Bind it through RBAC only to the specific
  # ServiceAccounts that genuinely need it, never to system:authenticated or a
  # whole namespace. Also note that PodSecurityPolicy (policy/v1beta1) was
  # removed in Kubernetes 1.25; Pod Security Admission or an admission
  # controller replaces it.
  privileged: true
  allowedCapabilities: ["*"]
  volumes: ["*"]
  hostNetwork: true
  hostPID: true
  hostIPC: true
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
apiVersion: ceph.rook.io/v1
kind: CephBlockPool
metadata:
  name: replicapool
  namespace: rook-ceph
spec:
  # Keep three copies of every object, each on a different host, so the loss
  # of a single node does not lose data.
  replicated:
    size: 3
  failureDomain: host
--- | |
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-ceph-block
provisioner: ceph.rook.io/block
parameters:
  blockPool: replicapool
  # Must be the namespace the Rook cluster is deployed in.
  clusterNamespace: rook-ceph
  # Filesystem created on each new volume; ext4 if omitted.
  fstype: xfs
# Retain: deleting a PVC leaves the Ceph image and its contents in place until
# someone removes them by hand. That protects database state from an accidental
# PVC deletion, but it also means decommissioned volumes (and whatever
# credentials or data they hold) persist until explicitly cleaned up.
# Other options are Delete (the default) and Recycle; see
# https://kubernetes.io/docs/concepts/storage/storage-classes/
reclaimPolicy: Retain
apiVersion: v1
kind: Pod
metadata:
  name: test-leap-pod
spec:
  containers:
  - name: test-leap-cont
    image: registry.opensuse.org/opensuse/leap:15
    # Keeps the container alive with a TTY so "kubectl exec -it" gives a shell.
    tty: true
    # NOTE(security): a privileged interactive pod is root on whichever node
    # schedules it (host devices, all capabilities). Acceptable for a one-off
    # debug session, but delete the pod when finished and do not leave it in a
    # namespace where other users can exec into it. Where PodSecurityPolicies
    # are enforced, admission needs a policy that permits privileged pods
    # (e.g. psp-privileged in this repo).
    securityContext:
      privileged: true